On Thu, Dec 08, 2005 at 10:38:45PM -0800, Randall R Schulz wrote:
Henning,
On Thursday 08 December 2005 22:18, Henning Hucke wrote:
On Thu, 8 Dec 2005, Randall R Schulz wrote:
[...] I'm surprised so many very security-conscious people think that passwordless is such a good thing. Now you've made physical access to your computer all that is required to gain access to all the other hosts for which you've set up passwordless access. What's more, from the perspective of the administrators of those systems, it's you who has accessed their resources and you'll get the blame, at least initially, for any malicious actions.
Erm... Passwordless access to the other computers implies in the case of SSH that you first enable the necessary keys with your passphrase for your session. And even this you can cut down to the need to /regularly/ reauthenticate.
E.g., my office mate has passwordless access set up for all the hosts he regularly accesses (my company has literally thousands of hosts, of which we need to interact with dozens, if not hundreds, on a fairly regular basis).
All I have to do is walk over to his desk, say, when he goes to lunch, and do things that no one can readily tell were not done by him.
Note that if you leave an ssh or telnet session open to a remote host and leave for lunch, regardless of how you authenticated, someone can do the same to the remote host.

Assuming he's using ssh-agent and not passwordless keys, your colleague has a couple of options available to him, if he's willing to look at the ssh-add manpage. You may wish to introduce him to "ssh-add -D", which he can run before leaving for lunch to delete all identities currently stored in the agent. Once he returns from lunch, he can then ssh-add them back. Alternatively, he can do 'ssh-add -x' to lock the agent with a password, and 'ssh-add -X' with the same password to unlock it again. He can also use a timeout via ssh-add -t <time>.

If he's using passwordless keys, well, ssh-agent(1) and ssh-add(1) are your friends.

-- 
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie@suse.de>
http://NxNW.org/~steve/
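Added example, not part of the thread and not the author's code: a POSIX shell script showing the key-lifetime option Steve describes. It assumes OpenSSH's ssh-agent, ssh-add and ssh-keygen are installed; the function names, the throwaway key and the lifetimes are constructed for the demo. It starts a private agent with a default lifetime, loads a key with a short ssh-add -t timeout, and checks that the agent drops the identity on its own; ssh-add -x/-X locking needs an interactive terminal, so it is only noted in a comment.

```shell
#!/bin/sh
# Added example, not part of the thread: ssh-agent hygiene via key lifetimes.
# Assumes OpenSSH ssh-agent, ssh-add and ssh-keygen; all names are constructed.
set -eu

# Number of identities loaded in the agent at $SSH_AUTH_SOCK.
# "ssh-add -l" prints one "<bits> <fingerprint> ..." line per key and exits 1
# (printing "The agent has no identities.") when it is empty.
agent_identity_count() {
    ssh-add -l 2>/dev/null | grep -c -E '^[0-9]+ ' || true
}

# Start a private agent whose keys expire after $1 seconds by default
# (ssh-agent -t) and export its socket and pid into this shell.
start_demo_agent() {
    eval "$(ssh-agent -s -t "$1")" >/dev/null
}

stop_demo_agent() {
    ssh-agent -k >/dev/null
}

# Throwaway passphrase-less key in a temp dir; prints its path. Demo only,
# a real key should of course carry a passphrase.
make_demo_key() {
    dir=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$dir/demo_key"
    echo "$dir/demo_key"
}

# Load the key with a 2 s lifetime (ssh-add -t overrides the agent default),
# confirm it is present, wait, and confirm the agent forgot it by itself.
# Prints "loaded=<n> after_timeout=<m>".
run_demo() {
    key=$(make_demo_key)
    start_demo_agent 3600
    ssh-add -t 2 "$key" >/dev/null 2>&1
    before=$(agent_identity_count)
    sleep 3
    after=$(agent_identity_count)
    # What to run before walking away: drop every identity immediately.
    # (ssh-add -x / -X lock and unlock instead, but need an interactive tty.)
    ssh-add -D >/dev/null 2>&1 || true
    stop_demo_agent
    rm -rf "$(dirname "$key")"
    echo "loaded=$before after_timeout=$after"
}
```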